What is the best way to password protect folders on high traffic sites?
How would I do this using the tutorial script I am using?
Am I going about this in the right way?
This is my first site using php, so please instruct me in simple language. Thanks so much!
Thanks for responding!
I am on Apache version 1.3.29 (Unix). I have mysql, phpmyadmin, the works. The free script is a wonderful program called amember: membership.cgi-central.net/scripts/amember/free.php

The post in their forum about registrant limitations was answered by the developer of this program: membership.cgi-central.net/forum/showthread.php?t=2440 I am presently using this program in the "FREE PAYMENT" mode. I have no idea why there is such a disparity in estimated membership between the free and the paid versions of this program.

Going into amember's database, the id field is set at Type=int(11), Null=no, Extra=auto_increment. I wasn't sure if adding the Attribute=UNSIGNED would increase the possible membership. It sounds like the developer does not feel the limitation is "hardcoded", so I don't know what creates a limitation.
I know nothing about registrant limitations relating to databases, and that is why I looked for another script option and started doing a little research. I would hate to put up a site, and disappoint everyone because they couldn't register!
If anyone has any ideas, I'd appreciate hearing from you!
[edited by: jatar_k at 7:51 pm (utc) on Mar. 3, 2004]
[edit reason] delinked [/edit]
I found an old post on amember's forum, so I don't know if this is specific to a particular version. However, it looks like this is a clue: membership.cgi-central.net/forum/showthread.php?t=1572&highlight=sign
It seems the limit is in the server's ability to handle the htpasswd file. It looks like a "php_include", rather than a htpasswd file, is the key (my protected folders use php and html pages). htpasswd only allows a limited number of user records.
Am I on the right track?
As you know, I don't want to use htpasswd files, so I started reading about database authentication. The thing is, the passwords are encrypted in my database, and unencrypted when the user logs in.
Could someone please tell me how I should protect my folders from browser viewing, using the database I created in this tutorial?
CREATE TABLE users (
  userid        int(25) NOT NULL auto_increment,
  first_name    varchar(25) NOT NULL default '',
  last_name     varchar(25) NOT NULL default '',
  email_address varchar(45) NOT NULL default '',
  username      varchar(25) NOT NULL default '',      -- looked up at login; a UNIQUE index here avoids two rows with one name
  password      varchar(255) NOT NULL default '',     -- holds the hash of the password, never the plain text
  user_level    enum('0','1','2','3') NOT NULL default '0',   -- access tier used for the level1..level3 folders
  signup_date   datetime NOT NULL default '0000-00-00 00:00:00',
  last_login    datetime NOT NULL default '0000-00-00 00:00:00',
  activated     enum('0','1') NOT NULL default '0',
  PRIMARY KEY (userid)
) ENGINE=MyISAM COMMENT='Membership Information';    -- MySQL 4 of the time spelled this TYPE=MyISAM
Please explain this in basic terms...I'm new to all of this, but I learn quickly!
Thanks so much!
Could someone please help? Thank you!
The thing is, the passwords are encrypted in my database, and unencrypted when the user logs in.
Typically, the user enters a plain-text password. For high security, this is sent over a secure connection.
You then use the same encryption routine (typically md5) to turn the password into the encrypted form. md5 is a one-way encryption routine. That means that it's easy to encrypt, but difficult to decrypt.
You then match up the encrypted version of what the user typed in with what's in the database and let the user in.
Now set a session variable that flags a user as logged in or not. You may wish to do additional checks (if no page has been requested in more than x time, or if the request is not from the same IP as the previous page request, make the user log back in). That would make it harder to hijack sessions, for example.
Does that help?
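The login flow Tom describes, as an added example (this is not code from the thread, from Tom, or from the tutorial the poster followed): look the user up, hash what was typed, compare with the stored hash, then flag the session as logged in and record the values the later checks need. Two things are changed from the thread on purpose and named here: the hash is password_hash()/password_verify() (bcrypt, salted) rather than md5(), with a branch that upgrades a legacy md5 row on the user's next successful login, and the session id is regenerated at login. The table columns are the poster's; an in-memory SQLite database with constructed sample rows stands in for MySQL so the script runs offline (needs PHP with pdo_sqlite).

```php
<?php
// Added example, not the thread's code. Login handler for the `users` table
// posted above. SQLite in memory replaces MySQL only so this runs offline;
// the SQL is the same apart from datetime('now') (MySQL: NOW()).

declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Subset of the thread's columns, typed for SQLite.
    $db->exec("CREATE TABLE users (
        userid     INTEGER PRIMARY KEY AUTOINCREMENT,
        username   TEXT NOT NULL UNIQUE,
        password   TEXT NOT NULL,
        user_level TEXT NOT NULL DEFAULT '0',
        activated  TEXT NOT NULL DEFAULT '0',
        last_login TEXT)");
    // Constructed sample rows: one bcrypt user, one legacy md5 user from an md5-era tutorial.
    $ins = $db->prepare("INSERT INTO users (username, password, user_level, activated) VALUES (?, ?, ?, ?)");
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), '2', '1']);
    $ins->execute(['bob',   md5('battery staple'),                            '1', '1']);
    return $db;
}

/**
 * Attempt a login. Returns true and populates $_SESSION on success.
 * The caller (a web request) has already run session_start().
 * Deliberately does not say whether the username or the password was wrong.
 */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT userid, password, user_level, activated FROM users WHERE username = ?");
    $stmt->execute([$username]);              // bound placeholder: no string interpolation, no SQL injection
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || (string) $row['activated'] !== '1') {
        return false;
    }

    $stored = (string) $row['password'];
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy md5 row: constant-time compare, then rewrite the row with bcrypt.
        $ok = hash_equals($stored, md5($password));
        if ($ok) {
            $db->prepare("UPDATE users SET password = ? WHERE userid = ?")
               ->execute([password_hash($password, PASSWORD_DEFAULT), $row['userid']]);
        }
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // A fresh session id at login stops session fixation (attacker hands the victim a known id).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user_id']    = (int) $row['userid'];
    $_SESSION['user_level'] = (int) $row['user_level'];   // cast: the enum comes back as the string '2'
    $_SESSION['logged_in']  = true;
    $_SESSION['last_seen']  = time();                     // for the inactivity check Tom mentions
    $_SESSION['ip']         = $_SERVER['REMOTE_ADDR'] ?? ''; // for the same-IP check Tom mentions

    $db->prepare("UPDATE users SET last_login = datetime('now') WHERE userid = ?")
       ->execute([$row['userid']]);
    return true;
}

// Offline demonstration (run from the command line; a web page would POST these values).
if (PHP_SAPI === 'cli') {
    $db = open_demo_db();
    var_dump(login($db, 'alice',   'correct horse'));   // right password, bcrypt row
    var_dump(login($db, 'alice',   'wrong'));           // wrong password
    var_dump(login($db, 'bob',     'battery staple'));  // legacy md5 row; upgraded on success
    var_dump(login($db, 'mallory', 'anything'));        // no such user
}
```

The md5 branch exists only so an installed tutorial site can migrate: once every user has logged in once, every row is bcrypt and the branch can be deleted. Nothing in this file protects a folder; that is the job of a separate guard included at the top of each protected page.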
The membership tutorial I followed does use md5 encryption. I got the script to work fine. I also added links to folders dependent upon the registered user's security level. The problem I am having is that unregistered users can just type in the URL of the folders into their browser and get into the same folders, without registering. I don't want to use htpasswd files to secure these folders from outside eyes.
When I found this idea [php4hosting.com...] I thought I found the answer. It did cause a login box to pop up when an unregistered user typed a folder's URL. However, once I added the code to the top of a page in my folder, a registered user could no longer access that page. Somehow the added code did not recognize the user as registered.
To sum all of this up, my question is, how to protect my folders without using htpasswd files, while still allowing my registered users access?
I tried to follow your suggestion. I added your code on top of one of my pages, between php tags. I first got a parse error, so I added a double )){ and again tried to get in through the browser. It worked and sent me to my login page. I closed the window and opened a new one, logging in as a user stored in my database. When I tried to access the page that I had added your code to, I was no longer able to get to that page, even though I was logged in. I kept getting sent to my login page rather than the page I wanted to access.
I am new to all of this, so simple explanations are much appreciated!
Thanks again for all of your help!
As for the rest, you need to start the session before you try to access the session vars. I guess that the first time through it lets you set the var, but then forgets it since you apparently don't have a session running.
Read up a bit on sessions, [us2.php.net] because there's a lot to know.
Basically, though, you need to have
session_start();
in your code before you do anything at all with $_SESSION variables
Tom
After the user logs in, he or she is directed to a php page:
<?php
session_start();
// Note what include does with a URL: it fetches that page over HTTP and pastes
// its output into this response (needs allow_url_include, off by default);
// it does not send the browser to that address.
if ($_SESSION['user_level'] == 0) {
    include 'http://mysite.org';
}
if ($_SESSION['user_level'] == 1) {
    include 'http://mysite.org/level1/index.php';
}
if ($_SESSION['user_level'] == 2) {
    include 'http://mysite.org/level2/index.php';
}
if ($_SESSION['user_level'] == 3) {
    include 'http://mysite.org/level3/index.php';
}
?>
This then sends them to the areas I want to restrict. I see the session_start you spoke about. When I put your code on top of the level2/index.php page to stop browser viewing, the user no longer gets sent to level2/index.php.
Unfortunately, when I try to read the manual, it is like reading a foreign language.
<?php
session_start();                                   // must run before anything touches $_SESSION
if (!isset($_SESSION['user_level']))     $url = '/login.php';
else if ($_SESSION['user_level'] == 0)   $url = '/';
else if ($_SESSION['user_level'] == 1)   $url = '/level1/index.php';
else if ($_SESSION['user_level'] == 2)   $url = '/level2/index.php';
else if ($_SESSION['user_level'] == 3)   $url = '/level3/index.php';
else                                     $url = '/login.php';   // unexpected value: treat as not logged in
header("Location: $url");                          // a real redirect, unlike include of a URL
exit;                                              // stop here, or the rest of the script still runs after the redirect
?>
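The part the thread asks for but never shows in full is the guard that goes at the top of each page inside /level1, /level2 and /level3, so that a visitor who types the folder's URL straight into the browser is bounced to the login page while a logged-in member of a high enough level gets through. The following is an added example, not code from jatar_k, Tom or the tutorial. It assumes the session keys user_level, last_seen and ip were set at login, that the login page lives at /login.php, and it treats user_level as a minimum (a level-3 member can also read level-2 pages), which is a design choice of this example rather than something the thread decided. The decision is kept in a pure function so it can be checked from the command line without a browser.

```php
<?php
// Added example, not the thread's code. Save as e.g. auth/require_level.php and
// include it as the first statement of every protected .php page. The web
// server still serves the file; the page itself refuses to render unless the
// session proves a login at the required level. This is what replaces the
// htpasswd file. Plain .html files in the same folders are NOT covered, since
// PHP never runs for them (rename them to .php, or move them out of the
// document root and serve them through a PHP script).

declare(strict_types=1);

const LOGIN_URL    = '/login.php';   // assumed location of the login page
const IDLE_TIMEOUT = 1800;           // Tom's "x time": seconds of inactivity before a new login is required
const BIND_TO_IP   = false;          // Tom's same-IP check; off by default, see the note below the code

/**
 * Decide whether $session may view a page that requires $required_level.
 * Returns null when access is allowed, otherwise a short reason for refusal.
 * Pure function of its inputs, so it can be tested without a web server.
 */
function access_denied_reason(array $session, int $required_level, string $remote_ip, int $now): ?string
{
    if (empty($session['logged_in']) || !isset($session['user_level'])) {
        return 'not logged in';
    }
    if ($now - (int) ($session['last_seen'] ?? 0) > IDLE_TIMEOUT) {
        return 'session expired';
    }
    if (BIND_TO_IP && (string) ($session['ip'] ?? '') !== $remote_ip) {
        return 'ip changed';
    }
    // (int) cast on purpose: the enum column arrives as the string '2', and a
    // strict === against an int would deny every registered user.
    if ((int) $session['user_level'] < $required_level) {
        return 'level too low';
    }
    return null;
}

/**
 * Call at the top of a protected page, e.g. require_level(2) inside /level2/.
 * Redirects to the login page and stops on failure; refreshes last_seen on success.
 */
function require_level(int $required_level): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // the missing step in the thread: $_SESSION is empty until this runs
    }
    $reason = access_denied_reason($_SESSION, $required_level, $_SERVER['REMOTE_ADDR'] ?? '', time());
    if ($reason !== null) {
        session_unset();
        header('Location: ' . LOGIN_URL . '?reason=' . rawurlencode($reason), true, 303);
        exit;              // without exit, the protected content is still sent along with the redirect
    }
    $_SESSION['last_seen'] = time();
}

// Offline check of the decision logic (no web server needed).
if (PHP_SAPI === 'cli') {
    $now  = 1700000000;
    $good = ['logged_in' => true, 'user_level' => '2', 'last_seen' => $now - 60, 'ip' => '10.0.0.5'];
    var_dump(access_denied_reason($good, 2, '10.0.0.5', $now));   // member at the right level
    var_dump(access_denied_reason($good, 3, '10.0.0.5', $now));   // member one level short
    var_dump(access_denied_reason([], 1, '10.0.0.5', $now));      // anonymous visitor typing the URL
    $stale = $good + [];
    $stale['last_seen'] = $now - 2 * IDLE_TIMEOUT;
    var_dump(access_denied_reason($stale, 1, '10.0.0.5', $now));  // idle too long
}
```

Usage in /level2/index.php is one line before any HTML: require __DIR__ . '/../auth/require_level.php'; require_level(2);. Every protected page needs that line, because each request is handled independently; the session cookie carries the login from page to page, but nothing checks it unless the page asks. IP binding is left off because users behind mobile carriers or large NATs change address mid-session and would be logged out constantly; the inactivity timeout plus session_regenerate_id() at login gives most of the hijacking protection Tom is after without that cost.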
The browser viewers got the "Access denied" message, but so did the registered users. I tried this with and without the "session_start();" line. I even tried changing the "if" line to:
if ($_SESSION['user_level'] == 2) {
I still got the "Access denied" message for registered users. As soon as I removed the php lines, the registered user could access the page again, and so could the browser user.
I'm stumped!
No variables are being passed! Why? Weren't there session variables in the page before this (the "include" page with links I posted earlier)? The variables must have existed on the previous page, or I wouldn't have arrived at the correct folder.
After reading countless tutorials, checking that my session variables were registered, and that each page began with session_start();, it still wouldn't work. I couldn't figure out why the variables were on one page, but not on the next. I just used Jatar_k's example on one page, and sure enough, it worked. I'll work on all my other pages tomorrow.
Will I need header locations on each of my pages? Some of the pages have html page choices, so I won't know where the user wants to go next. I am hoping that if the first page in the folder has the variables and I don't forget "session_start();" on the top of each page, I'll be fine.
Jatar_k, you are brilliant. I've spent so many days on finding an answer, and you have no idea how much I appreciate this. Thank you!
Thanks to everyone who spent so much time helping me out! I learned a lot!